Microsoft Authentication & Access Setup Guide for SSO

This guide outlines the technical requirements for organisations using Microsoft Entra ID (formerly Azure AD) to provide access to Peoplesafe and deploy the Peoplesafe app.

How Authentication Works (SSO)

Peoplesafe uses Single Sign-On (SSO) via Microsoft. This allows users to authenticate using their existing work credentials, ensuring security and reducing password fatigue.

Technical Note: Our integration is built on the OpenID Connect (OIDC) protocol, rather than SAML. This allows for a more streamlined, "consent-based" setup without the need for manual certificate exchanges.

Initial Setup & Admin Consent

To register Peoplesafe as an Enterprise Application in your tenant:

  1. An Azure AD/Entra ID Admin should visit the Peoplesafe Nexus login page: https://nexus.peoplesafe.co.uk/login

  2. Log in using admin credentials.

  3. Select "Grant consent on behalf of the organisation" when prompted.

Once completed, Peoplesafe will automatically appear in your Entra ID Enterprise Applications list, allowing you to apply Conditional Access rules (such as MFA or device compliance) as needed.

User Registration & Nexus Profiles

While Microsoft handles the authentication (verifying who the user is), Nexus handles the authorisation (verifying what they can access).

  • A user will only be able to log in to Nexus if a Profile exists within Peoplesafe Nexus.

  • A user will only be able to log in to the Peoplesafe App if a profile exists and an App subscription is assigned through Nexus.

Note: Even if a user has a valid company email address, they will be denied access until a profile is created in the Nexus portal.

Troubleshooting Access Issues

If a user is unable to log in, check the following:

  • Has the Admin granted consent? Ensure Peoplesafe is visible in your Enterprise Apps list.

  • Is there a Nexus Profile? Verify the email address in Nexus matches the user's Microsoft login.

  • Is a Subscription active? Confirm the user has been assigned a license in Nexus.

  • Conditional Access? Check if your internal IT policies (like "Managed Device Only") are blocking the sign-in attempt.
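The Entra ID side of the checklist above can be audited from a single read-only script. The following is an added example using the Microsoft Graph PowerShell SDK; it is not Peoplesafe's own tooling. It assumes the enterprise application appears under the display name "Peoplesafe" (change $AppDisplayName if your tenant shows something else) and takes the affected user's UPN as a parameter. It confirms the service principal exists (which is only true after admin consent), lists the consented delegated scopes and flags anything beyond openid, profile and email, reports whether "Assignment required?" is on and whether the user is assigned directly or through a group, prints the mail and UPN values you should compare against the Nexus profile, and finally lists the enabled Conditional Access policies and recent sign-in failures that apply to the app.

```powershell
# Added example (not Peoplesafe tooling): audit the Entra ID checks for a user who
# cannot sign in to Peoplesafe. Requires the Microsoft.Graph PowerShell SDK.
param(
    [string]$AppDisplayName = 'Peoplesafe',   # assumed display name of the enterprise app
    [Parameter(Mandatory)] [string]$UserPrincipalName
)

# Read-only scopes only; nothing here changes tenant configuration.
Connect-MgGraph -Scopes 'Application.Read.All','Policy.Read.All','User.Read.All',
                        'Directory.Read.All','AuditLog.Read.All' -NoWelcome

# 1. Has the admin granted consent? The service principal exists only after consent.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) {
    Write-Warning "No enterprise application named '$AppDisplayName': admin consent has not been granted."
    return
}
Write-Host "Enterprise app present: $($sp.DisplayName) (AppId $($sp.AppId))"

# 2. Which delegated scopes were consented? Expect only openid, profile and email.
$expected = 'openid', 'profile', 'email'
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    $scopes = $g.Scope.Trim() -split '\s+'
    Write-Host "Consent grant ($($g.ConsentType)): $($scopes -join ' ')"
    $extra = $scopes | Where-Object { $_ -notin $expected }
    if ($extra) { Write-Warning "Scopes beyond the documented set: $($extra -join ', ')" }
}

# 3. Is assignment required, and is this user assigned (directly or via a group)?
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,Mail,UserPrincipalName
Write-Host "Assignment required: $($sp.AppRoleAssignmentRequired)"
if ($sp.AppRoleAssignmentRequired) {
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    $groupIds = Get-MgUserMemberOf -UserId $user.Id -All | Select-Object -ExpandProperty Id
    $match = $assigned | Where-Object { $_.PrincipalId -eq $user.Id -or $_.PrincipalId -in $groupIds }
    if ($match) { Write-Host "User is assigned via: $($match.PrincipalDisplayName -join ', ')" }
    else { Write-Warning "User is not assigned to the app; assign the user or one of their groups." }
}
# The Nexus profile must match the identity Microsoft presents; show both candidate values.
Write-Host "Compare with the Nexus profile: mail='$($user.Mail)' upn='$($user.UserPrincipalName)'"

# 4. Which enabled Conditional Access policies apply to this app (or to all apps)?
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq 'enabled' -and (
            $_.Conditions.Applications.IncludeApplications -contains 'All' -or
            $_.Conditions.Applications.IncludeApplications -contains $sp.AppId)
    } |
    ForEach-Object { Write-Host "Conditional Access policy in scope: $($_.DisplayName)" }

# Recent sign-in attempts by this user to the app, with the failure reason and CA outcome.
Get-MgAuditLogSignIn -Top 5 `
    -Filter "userPrincipalName eq '$UserPrincipalName' and appDisplayName eq '$AppDisplayName'" |
    ForEach-Object {
        "{0}  error={1}  conditionalAccess={2}  {3}" -f $_.CreatedDateTime,
            $_.Status.ErrorCode, $_.ConditionalAccessStatus, $_.Status.FailureReason
    }
```

Run it as an Entra ID admin with the user's UPN, for example `.\Audit-PeoplesafeAccess.ps1 -UserPrincipalName someone@example.com` (file name and address are placeholders). A missing service principal, an unassigned user, or a sign-in record whose conditionalAccess field reports a failure each point to one of the checklist items above; if every check passes, the remaining causes are on the Nexus side (missing profile, email mismatch, or no subscription).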

Technical FAQ: Microsoft Entra ID & OIDC

Does Peoplesafe support SAML 2.0?
No. Peoplesafe uses OpenID Connect (OIDC) for all Microsoft Entra ID integrations. This modern protocol allows for a simpler "Admin Consent" workflow and does not require manual certificate management or metadata XML uploads.

Why do users see "Need Admin Approval" when trying to sign in?
This occurs if your Entra ID tenant has User Consent disabled (a common security hardening practice). To resolve this, an Admin must perform the Initial Setup & Admin Consent steps once to authorise the application for the entire organisation.

Can we restrict Peoplesafe access to specific users in Entra ID?
Yes. Once the "Peoplesafe" app appears in your Enterprise Applications list, you can toggle "Assignment required?" to Yes. You can then manually assign specific users or security groups who are permitted to use the integration.
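The same "Assignment required?" switch and group assignment can be applied with the Microsoft Graph PowerShell SDK. This is an added example, not Peoplesafe's own tooling; it assumes the enterprise application is displayed as "Peoplesafe" and that a security group named "Peoplesafe Users" already exists (both names are placeholders to adjust). It enables the assignment requirement on the service principal and assigns the group to the app's default access role, which is what the portal does when you add a group under "Users and groups".

```powershell
# Added example (not Peoplesafe tooling): require assignment and assign one security group.
param(
    [string]$AppDisplayName = 'Peoplesafe',        # assumed display name of the enterprise app
    [string]$GroupDisplayName = 'Peoplesafe Users' # placeholder: your own security group
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All','Group.Read.All',
                        'AppRoleAssignment.ReadWrite.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
$group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'"
if (-not $sp)    { throw "Enterprise application '$AppDisplayName' not found; grant admin consent first." }
if (-not $group) { throw "Group '$GroupDisplayName' not found." }

# Equivalent of toggling "Assignment required?" to Yes in the portal.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Pick a user-assignable app role if the app defines any; otherwise use the default
# access role, which Entra ID represents with the all-zero GUID.
$role = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } |
        Select-Object -First 1
$roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }

# Skip if the group is already assigned, so the script is safe to re-run.
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
            Where-Object { $_.PrincipalId -eq $group.Id }
if ($existing) {
    Write-Host "Group '$($group.DisplayName)' is already assigned to $($sp.DisplayName)."
} else {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
        -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
    Write-Host "Assigned group '$($group.DisplayName)' to $($sp.DisplayName)."
}
```

Once the requirement is on, users outside the assigned group receive an Entra ID error before they ever reach Nexus, so the assignment check belongs at the top of the troubleshooting list for any tenant that enables it.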

Do we need to share a Client Secret or Metadata URL with Peoplesafe?
No. Because we use a multi-tenant OIDC flow, you do not need to generate or exchange secrets. Consent is granted dynamically when your Admin logs in to Nexus for the first time.

Which OIDC scopes does Peoplesafe request?
We request standard, low-privilege scopes: openid (to verify identity), profile (to read name), and email (to match the user to their Nexus profile). We do not require write-access to your directory.

Does this support Conditional Access?
Absolutely. Because Peoplesafe is registered as an Enterprise Application in your tenant, it is fully compatible with your existing Conditional Access policies, including MFA, Managed Device requirements, and Location-based restrictions.
